Digital identity is broken. Can we fix it?

Digital identity is broken. Can we fix it?

Jeremy Newman

founder and executive director at ShowUp

Views 297

Digital identity is broken. Can we fix it?

14.12.2016 11:30 am

While we have all been enjoying a life online, an awkward truth threatens to wreck everything. It is this: a password is the same irrespective of who enters it. This means that when an organisation asks for passwords or other ‘memorable’ information for verification purposes, it is unable to tell the difference between their customer and an impostor.

So why do organisations persist in asking their customers to do something that a fraudster can also do?

Since ancient times passwords have played a role in keeping the enemy from the gates and telling friend from foe. The first use of passwords in the context of computer logins was in 1961 for an early multi-user computer system developed at MIT. Fast-forward to today, and people have to use passwords to interact with just about every supplier, government department and service on offer. Indeed, the way businesses verify customers has barely changed in over half a century.

The problem is that the dominant method of verifying people – testing their knowledge – was flawed from the outset, and it still is.

How we’ve lost our way

Given that passwords cannot distinguish between customer and fraudster, you might hope that this flaw is benign. But it’s worse than useless. By using knowledge-based authentication (KBA), organisations expose their customers to risk.

Knowledge-based authentication drives fraudsters to obtain data by whatever means they can, and then either use it to malicious ends themselves, or trade in it. Vast markets have opened up on the dark web where personal information is being bought, sold and collated, patiently tended in databases like shadow credit reference agencies. The value of this data to criminals lies in the fact that, armed with this data, organisations can be easily fooled. Let’s not forget that KBA is responsible for every phishing email that’s ever been sent.

The reality is that wherever access to a bank account, email account or indeed any online resource at all is controlled with a password, if you know it, so can the fraudsters. All knowledge can be shoulder-surfed, discovered, leaked, hacked, intercepted and (ahem!) guessed.

I believe that passwords persist in part because they give people the sense they have a secret. Until, that is, an organisation gets fooled and customers are left to deal with the resulting mess. They call it identity fraud, but really it’s corporate negligence on a global scale. We live in this Kafkaesque world where we all must jump through hoops to “prove who we are”, while the practice is widely known to be little short of a complete waste of time.

It’s time to change habits

The world is in desperate need of a way to tell the good guys from the bad guys. If it’s not knowledge, then what? What if we could find a means of differentiation that is already present in the population?

The assumption has always been that you cannot see your customer online. As the famous cartoon in the New Yorker had it - on the internet, nobody knows you’re a dog. However, in the past decade this assumption is no longer valid. For the first time nearly everyone has a camera phone with internet connectivity. Therefore it is now possible to draw upon the tried-and tested mechanism of visual identity, and the innate ability of people to recognise one another.

To harness visual identity is to build upon a foundation laid down over several millennia of human evolution. Using this powerful natural capability goes with the grain of everyday experience as opposed to against it. Visual identity is practised by around 7.2 billion people every day, and it manifestly works. Also, there’s no need to distribute anything – no secrets, no special hardware, or even documents.

After many attempts at fixing the problem by adding layers of complexity, we are about to turn full circle. Going back to our roots promises to make the job of the fraudster much harder, while making life much easier for the true customer. There’s an old saying, “People are the weakest link in security”. As ever, it depends on what organisations ask them to do.

Latest blogs

Hirander Misra GMEX Group

Are UK Banks profiting from the current coronavirus crisis and failing SMEs?

A UK business could be eligible for a Coronavirus Business Interruption Loan Scheme (CBILS), as set out by the UK Government. However, it appears that despite the Government’s best intentions, this scheme is not working in practice and some urgent Read more »

Otabek Nuritdinov Safenetpay

A strong fintech needs more than just access to funding

  Investors, both private and institutional, are excited about investing in fintechs that are in the payments services business. What are the issues that really should matter to you, as a client? In 2019, institutional investors Read more »

Martijn Bos Holland FinTech

Get your head up in the clouds, it’s good for business

How Digital Transformation is reshaping competition in financial services The message is clear and it’s coming at us from all sides: digitalize now. No business unit seems to be immune to the onslaught of cloud-based, AI-driven, real-time, Read more »

Sonny Aulakh Pure Storage

How to support remote working without compromising productivity

As the need to work remotely continues to impact the daily lives of people and businesses around the globe, it places unexpected demand on IT departments. How do you transition supporting 30% of your workforce to work remotely to 100% in a matter of Read more »

Martijn Bos Holland FinTech

Making it through the rain: Finance in times of turmoil

You’d need to be living on a remote island, without electricity or internet to not be aware of what the world is going through right now – a medical crisis that has spread across the world and disrupted supply chains, goods and services production, Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel